All right. Thank you, everybody, for coming to the Ask the EFF panel. It's so great to
see so many people here filling up this room. We are the Electronic Frontier Foundation.
Thank you.
And it's always a pleasure to come here to DEF CON. There are so many people who have
been great supporters of us here and so many people who are doing interesting things that
lead to interesting issues, trying to help make the world a better place. And we really
also enjoy helping defend the people in this community. No arrests so far. We're going
to hope that for the rest of the weekend. So I'm Kurt Opsahl. I'm one of the attorneys
at the Electronic Frontier Foundation. I do work on the Coder's Rights Project, which
is designed to try and make sure people understand what their legal risks are when doing security
research and talking about it. I also work on some of our other stuff, but what I'll
be talking about next.
What we're going to talk about a bit is the NSA surveillance and some of the recent revelations,
and what EFF is doing about it. What we're going to do is we're going to go down the
line here where each of us will talk a little bit about some of the projects that we're
doing and introduce themselves. And then after we have that sort of brief introduction, we're
going to turn it over to you to bring up your questions. There is a microphone over
on this side. So if you have questions, you can just line up in front of the microphone.
A couple of things I wanted to say about the kind of questions. We're happy to talk
about a lot of the legal and policy issues that we do, our technology projects and such,
but this is not the forum to ask for legal advice. We do provide legal advice to people,
but that is something that is best done in a confidential setting. And this is not only
not confidential because of all you fine people who are here, it's also being recorded for
posterity. So it's really not the right place for asking for legal advice. So I'm going
to start with the list of questions. Here I did this thing last night. Was that legal?
Let me just begin with just one of the things that EFF has been working on that I have
been part of, and that is about the NSA warrant and surveillance program. It's been a little
bit in the news lately. Some of you may have read about it. And we've actually been working
on these issues for quite a long time. In 2005, the New York Times published a report,
reports about a warrantless surveillance program that was rebranded by the Bush administration
as the terrorist surveillance program or at least part of that. The following year the
USA Today published some reports about a program to get the call detail records from various
telecommunication companies. And we have actually, based on the information we learned at
that time, a case that we brought representing some people against the NSA and the government
to try to stop the surveillance. That was called Jewel versus NSA. That has been going
on in the courts for years now. But we have recently had a little bit of good news there,
which I'll get to in a second. But I also want to say the second case that was brought
about last month, that was First Unitarian versus NSA. So in the Jewel case, the government
put forward the state secret privilege. Said, hey, this has got some secrets to it that
prevented from being litigated. And so we can't allow this case to go forward. And they
brought up a number of other defenses. And what we have said is that under the Foreign
Intelligence Surveillance Act there is a procedure set out by Congress after the Church
Commission found a whole bunch of misuse of surveillance powers to determine the legalities.
Have a question.
It's not a court rule about whether what it is that they're doing is or is not legal.
And that's the procedure that trumps the state secret privilege. So this case has gone up
and down in the courts. It went ‑‑ we lost an initial round, went up to the appeals
court. We won the appeal, went back down to the district court. And then last month
the district court said the case can go forward. We can go through this under the ‑‑ under
the Foreign Intelligence Surveillance Act. And so that case is ongoing. We're going to
see whether the next move from the government is to appeal that or to move forward in the
district court. After some of the more recent revelations
that have confirmed a lot of the stuff that we had seen before, but provided something
special, I mean, I assume that most people here have been paying a fair amount of attention
to some of the stuff that's come out in the Guardian. One of the things that came out
was a copy of an order that was for Verizon to hand over all of the records. And this
was the call detail record. These are who you called, how long you spoke, and so the
time of the call. And it was for all of them, not just, you know, one end foreign, not purely
foreign, but also all the way down to local calls and on a daily basis they would turn
over to ‑‑
the FBI to hand over to the NSA, or more or less directly to the NSA, this database
of the previous day's calls and then it would be added into the pool for analysis of contact
chains. Basically this is a kind of taking the metadata. The government will say, oh,
it's just metadata. It's not a big deal. But metadata is a big deal. It shows who you call
and that can reveal a tremendous amount about your relationship. It can reveal a tremendous
amount about you.
If you are, you know, all of a sudden you're making a lot of calls to a doctor, that says
something about your health situation. If you are calling, you know, certain representatives
or political groups, it may say something about your political affiliation. There's
a lot that it says about you that doesn't require them to listen to the content of the
call. So this is very important information. It's very sensitive. The new case we filed
last month, First Unitarian versus the NSA.
It was a collection of 18 different political advocacy organizations, church groups, people
who have a right of association, a right to get together with other people who are like
minded and try and act together. And this comes under the First Amendment where a lot
of the other litigation about the NSA has been under the Fourth Amendment. Because that's
exactly what the call detail record program is about, is trying to find out what the associations
are.
That, indeed, that is a First Amendment right. You can organize, get together with like minded
people, try and do collective action without having the government know everybody who
you're connecting with. So that case was filed last month. It's just in the beginning phases,
but we're moving forward on a new angle.
So that's a very brief summary of some of what we're doing on the litigation front
for NSA. And with that, I'll turn it over to Eva.
EVA GALPERIN, Global Policy Analyst, EFF. All right. Hi, my name is Eva Galperin and
I'm a global policy analyst for EFF.
I work on EFF's international team. There are five of us. EFF is a relatively small
organization and we have a reasonably large number of lawyers who specialize in litigation
within the United States. But in the meantime, the Internet is global and so are we. So it's
up to the international team to cover the rest of the world.
That's a little exhausting. And in some of these places, rule of law is relatively strong.
And so we can pursue our protection of the Internet through policy venues. We can fight
bad laws. We can go to the European Parliament. We can fight, you know, secret trade treaties
like TPP and ACTA in this sort of policy space. But a lot of my favorite work happens in country
countries or working with people who are located in places where the rule of law is
even less strong than it is in the United States. And you really cannot pursue the goal of Internet
freedom through policy venues. And instead, you have to go through this sort of process
of helping users to protect themselves, often using technical tools. So I spend a lot of
time talking to journalists, especially independent journalists in countries where the
mere act of independent journalism is almost indistinguishable from activism. Simply having
your opinion and publishing it about the news is an act of activism in many countries.
So I talk to a lot of terrified journalists. And I talk to a lot of terrified activists.
Sometimes difficult to tell the difference. And I spend a lot of time advising them on
best practices for protecting their security and privacy.
And talking about sort of their rights as they travel around and try to publish the
information that they have. So in a lot of ways, I rely on you guys. Because the only
way to really understand best practices is to understand what the threats are on the
Internet right now and what kind of threat models people are looking at. And what both
governments and individuals are capable of doing when it comes to compromising people's
privacy and security. So I follow the hacker community very, very closely.
This is my seventh DEF CON. Not in a row. I think the first one that I ever attended
was in 1998. It was a much smaller room. So one of the things that I wanted to talk
about really quick was while most of the people here are going to be talking about
what they can do for you, I'm going to talk a little bit about what you can do for me.
The biggest project that I was working on last year was the project in which we were
finding documents.
Documenting, reverse engineering, and then writing up the reports on Syrian malware,
which pro‑Syrian government forces sympathetic to President Assad were deploying to spy on
activists throughout Syria. The idea being that even if you're using encryption, that
they would install ‑‑ surreptitiously install a rootkit on your machine, therefore
bypassing all of your precious, precious encryption.
And all of the good advice that I could possibly give to Syrian activists.
So we spent a lot of time tracking down this malware, reverse engineering it, and writing
up reports. We had those reports translated into Arabic because there's no point in writing
them if they can't be read by the people who are being targeted.
And this was actually very successful. And as a result, I have terrified activists coming
to me with more malware from all over the world. From places like Ethiopia and Vietnam,
and occasionally China. There are a lot of people who reverse Chinese malware.
And so what I really need from you, show of hands, who here reverses malware? Anybody?
Anybody? I see some hands. I need you all. And over here.
Yeah. So I need you all to come talk to me after this talk. Because I have ‑‑ I
have more terrifying malware than I have reversers. And this is where I go to pick up more reversers.
So I desperately need your help. I am here to answer questions about anything
involving the rest of the world. Including Julian Assange. I can talk a little bit about
Julian Assange. We'll get there. So, yeah, Julian Assange,
Edward Snowden, TPP, China, Iran, all kinds of terrible malware, Gamma, FinFisher, U.S.
companies selling to authoritarian regimes in Turkmenistan. So that's what I do. And
if you have questions about that, I'll be happy to answer them later.
Hi there. My name is Marcia Hofmann. I was a senior staff attorney at the Electronic
Frontier Foundation for a long time. I was there for seven years. And I left just a couple
months ago to start my own little private practice focused on technology law, very specifically
privacy issues, copyright issues, hacking and security‑related things, free speech.
And I remain involved with EFF as a fellow. And so that's why I'm here on this panel today.
Because I'm still an EFF fellow. And I also became an EFF member last night for the sole
selfish purpose of getting the totally amazing rocking EFF DEF CON T‑shirt. I don't know
if you've seen the new one. But you should visit the booth and check it out. It's really
amazing and fantastic. I love it.
So I wanted to talk to you today about a case that I became involved in while I was still
at EFF. But when I left, I remained involved in it. And EFF is also involved in it. So
we're partnering on it. This is a case some of you may have heard about. It's called United
States versus Auernheimer. Just show of hands, how many people have heard of this? Okay.
You may also know it as the weev case or the iPad hacker case. Does that ring any bells?
So let me tell you what happened in this case.
There's this guy named Daniel Spitler. And he notices something interesting about iPads
a few years ago. Specifically what he notices is that if a person has an iPad and wants
to go set up a data plan on that iPad, then the person goes and visits the AT&T website
using the browser on the iPad. And when they visit the browser, they see
a pop‑up window that has pre‑populated in the pop‑up window the account holder's
e‑mail address. And then the account holder is supposed to type in the password to get
into the account. And he notices that when you see this pop‑up window in the browser,
in the URL, there is a number. And he recognizes that this is an ICC ID, which is a unique
identifier associated with the SIM card of the iPad. So basically what was happening
was the AT&T servers were recognizing that this is this particular iPad. AT&T knows
that this is this ‑‑ this iPad is associated with this account holder. So then they pre‑populate
the e‑mail address. And he says, oh, well, I wonder what happens if I change that number?
What if I change one digit? And boom, there's a different e‑mail address.
And so he wrote a script that basically just iterated through the ICC IDs in the URL. And
he managed to harvest about 140,000 e‑mail addresses this way. And then he ‑‑ while
he's in the process of doing this, he goes online and he tells some of his friends there,
oh, my God, I just figured out that AT&T does this thing and I wrote this script and
I'm harvesting this stuff. And one of the people that he was speaking to about this
is this guy named Andrew Auernheimer, who is also known as weev. weev says, well,
we should see if in that list of e‑mail addresses there are any reporters and we can
tell them about this and maybe they'll write about it.
So they identify several reporters, including a Gawker reporter.
And weev sends them an e‑mail and explains the situation, frankly in rather provocative
terms to attract attention.
And then Gawker published a story about it.
And both Spitler and weev were then indicted on two felony counts each, conspiracy to violate
the Federal Computer Fraud and Abuse Act and identity theft.
So basically the government's argument for the violation, the conspiracy to violate the
Computer Fraud and Abuse Act was that Spitler's script, his access to AT&T's servers, amounted
to unauthorized access to protected computers.
And I think that this is a really concerning interpretation of the law because this is
information that AT&T published on the Internet.
It was hidden.
But there was no barrier in place to protect that information.
There was no password.
There was nothing.
AT&T basically just hoped that people would never notice it was there.
And so.
So what ended up happening was Spitler cooperated with the government, testified against weev,
and in November weev was convicted on two felony counts, sentenced to three and a half
years in prison and ordered to pay AT&T $73,000 to compensate them for what they needed to
do to rectify the situation.
And we are in the midst of appealing this case.
EFF is on it.
I'm continuing to work on it pro bono.
We're joined by Orin Kerr, who is a very well‑known and respected computer crime professor.
And weev's trial counsel, Tor Ekeland and Mark Jaffe.
And we're partnering to appeal this to the Third Circuit Court of Appeals.
We filed our opening brief in July, July 1st.
And the government's opposition will be filed in just a couple of weeks.
And so that's kind of the deal with that case.
And if you have questions about it, of course, I'll be happy to discuss or any number of other
things that you want to talk about.
Thank you.
MITCH STOLTZ, ATTORNEY AT EFF AND THE INTELLECTUAL PROPERTY TEAM.
I apologize in advance for the effect of a very old kind of malware known as a head cold.
So bear with me and I will keep this brief.
I work on cases where intellectual property laws like copyright, patent, although I'm
less of a patent expert, and some other random laws interfere with freedom of speech, freedom
to build, freedom to tinker.
And I'll just quickly mention two things that are, you know, probably, you know, really
current issues and probably of interest to some of the people here.
One is the Digital Millennium Copyright Act.
This was a law passed 15 years ago.
And part of it is a federal civil and criminal ban on breaking what's commonly known as DRM,
so digital access controls on copyrighted works.
This ‑‑ for the start we think was a bad premise.
Because ‑‑.
With a few generally not that useful exceptions, it is illegal to break DRM even if you are
breaking it for otherwise legal purpose.
Now there are some exceptions, but those exceptions are hard to use for the most part.
They protect certain people and not others, and there is a process where the Library of
Congress ‑‑.
The Library of Congress can pass new exceptions every three years.
The problem with those is they are generally very narrow, and they only last three years.
What happened this year, a couple of things that were interesting, in the last three year
cycle, which was 2009 to 2009 ‑‑ beginning of 2009, EFF asked for and got an exemption
for ‑‑.
A declaration of a shield against lawsuits for people who want to install unapproved apps
on a mobile phone device.
And at the time there was another group ‑‑ actually this was EFF at the time, also got
an exemption for unlocking.
That is for modifying a smart phone to a mobile device.
To use it on a different wireless network.
Different cellular network.
What happened this year, we successfully renewed the exemption ‑‑ sorry, in 2012, we successfully
renewed the exemption for jailbreaking, but the Library of Congress decided not to
renew the exemption for unlocking.
This was really strange to a lot of people.
And the way it was reported in the press, mostly accurately.
Was the Librarian of Congress says that unlocking your phone to switch carriers is now illegal.
Maybe not true, exactly.
A couple of courts have gone one way, a couple of courts have gone the other way.
There is no connection to protecting copyrighted works here.
Which is arguably what this law was supposed to do.
But some of the major cellular networks, the cellular carriers have claimed and continue
to claim.
That if you unlock your phone or if you hire someone to unlock your phone without their
permission, that they can sue you and that there may even be criminal penalties.
This is separate and apart from your contract.
Obviously you break a contract, usually you have to pay an early termination penalty.
This is something everybody understands.
It's a bargain that you make when you sign up for mobile phones.
Phone service.
This is on top of that.
The claim that because of this law that was supposed to protect and restrict, for example,
the encryption on DVDs, because of that law, you can't change carriers without the current
carrier's permission.
Really fairly ridiculous.
Now there's a bill going through Congress.
Just passed out of a house committee last week.
That would fix in a very narrow way this very specific problem about phone unlocking.
But only for the next two years.
And without getting at the deeper problem, which is this law is used as a club to stop
and to punish lots of things that could be called circumventing a digital access control.
I don't know.
Going beyond just protection of copyrighted material, movies, music, and so on, books,
to really being yet another kind of anti-hacking law that gets used as a club, you know, we
are looking for ways to hopefully get Congress to fix this law in a more really comprehensive
way.
But in the meantime, we continue to ask the Library of Congress for exemptions.
And we're interested in hearing people's stories about how they ‑‑ you know, in
what circumstances do you need to circumvent or undo or avoid digital access controls?
And if you've ever been legally threatened for those things, those are things that we'd
be interested to hear about, you know, in private and confidentially.
Or if you have thoughts about that law.
And the other area that I'll mention briefly is patent trolls, which has been a really
big area for us this year and for the country.
We've seen really strong statements out of the White House, a lot of sectors of the digital
technology economies about patent trolls.
Now what are patent trolls?
There's not a really widely accepted definition.
But generally speaking, we're talking about companies that don't build or produce or sell
things.
They simply own patents.
Excuse me.
They simply own patents and sue over them.
The really damaging ones are in the information technology space and in the Internet space.
So for example, recently there's a company that has been threatening bloggers with a
patent infringement lawsuit because they claim to own a patent that covers some really
basic aspects of web publishing, things that really have been done for over a decade.
Excuse me.
It was the other one recently.
It will come to me.
There's a number of things that are being done.
There's a number of things that EFF is doing.
We just launched a site called trollingeffects.org.
the legal threat letters that people have received from patent trolls or likely patent
trolls, see if we can develop a picture of who is doing this, what patents do they actually
own.
It's hard to tell who owns what because they tend to use shell companies and if you will
false identities when they send these demand letters.
But if we can get ‑‑ if people send them to us, to trollingeffects.org, we will be able
to hopefully get a picture of who is doing what and it can be a resource for people who
get a threat letter to figure out how legitimate it is, whether this is a company that is likely
to actually sue, so on and so forth.
So again, we would be interested to hear from you how patents on software, patents on protocols,
patents on communications.
Communications technologies, et cetera, have affected you, and I'll leave it at that.
Hi, everyone, my name is Dan Auerbach, I'm a staff technologist at EFF, we have a team
of four technologists, and part of my job is to provide technical support for the organization
in terms of if someone wants to know what's an IP address or how does network address
translation work or these sorts of questions.
I give that.
I give that information to our legal team and activism team and to journalists.
But today I wanted to give an overview of the other aspect of what we work on, which
is we have a bunch of tech projects.
A kind of theme of our tech projects is encrypting the web.
So this is kind of a mission that we have at EFF to try to encourage the adoption of
HTTPS and the use of HTTPS as much as possible.
And we've been encouraged with recent news based on the leaks, the NSA leaks, that encryption
does seem to work.
The NSA doesn't have some sort of magic ability to decrypt things, which is great news.
And it means that we really need to deprecate HTTP.
We need HTTP to become like Telnet to what SSH is now.
Thank you.
And so towards that end, we have a project that we launched in 2010, which is called
HTTPS Everywhere.
It's a browser extension for Chrome and Firefox.
This is probably our most visible project.
And the way this works is there's just a giant list of rules, and your browser understands
that some websites offer HTTP.
And so HTTPS Everywhere encrypts those connections.
It recognizes, hey, this is a website like Wikipedia until today, I believe, which by
default was over HTTP.
But with our add-on, it would encrypt that traffic.
So that was kind of our first foray into this area.
But then we started noticing, well, HTTPS is great.
But PKI, public key infrastructure, the certificate authority system, seems really problematic.
And so what we did next was this project called the Observatory, where we did a scan
on port 443 of the entire IPv4 Internet, and we collected all the security certificates.
And with that, we made a map of the existing certificate authorities and the relationships
between them.
So some certificate authorities are root, and they're trusted in your browser.
Others are intermediate.
Some certificates can be cached by the browser, even though they're not explicitly trusted.
So it's kind of this messy world of how certificates are handled.
And for people who kind of follow this issue, it's well known that PKI is pretty broken,
that we need to fix it.
But the Observatory was kind of a tool that we tried to use to study that.
We also have something called the decentralized SSL Observatory, which for HTTPS users on Firefox,
you can opt in to sending us the certificates that you see as you browse around the web.
And so this is a way for us to detect attacks.
So for example, if your browser thinks that it's seeing a valid certificate for Google.com,
but we notice, whoa, this is very different than a lot of other things.
Of the other certificates we're seeing, we'll be able to warn the user about that.
And we also will be able to kind of get some more information about the ‑‑ how certificates
vary from region to region and how web servers generally deploy their SSL certificates.
So that's kind of some of our projects in the vein of encrypting the web.
But we also have other stuff we work on, too.
So another ‑‑
Another area that we've been kind of investigating lately is the issue of nonconsensual tracking
on the web.
So ten years ago when you visited a site like the New York Times, your browser loaded
resources mostly just from the New York Times.
Now if you inspect ‑‑ when you load the New York Times and you, you know, open a debugger
to see all the resources you're loading, it's from maybe dozens or hundreds of different ‑‑
companies, many of which are kind of invisible third‑party trackers which are amassing browsing
histories of users.
So we think this is really bad.
People don't know about it, and it's happening more and more.
There is an effort called Do Not Track which was supposed to help mitigate this problem.
But unfortunately, the W3C Tracking Protection Working Group, which I'm on, has stalled quite
a bit.
And so users are left with a few different options.
They can install an ad blocker, which I'm sure many of the savvier people in this room
have already done.
But advertising does form a significant portion of revenue on the web, and we don't think
that you should have to block all ads in order to stop tracking.
So what we did is we are building a tool which is actually an experimental Chrome extension
which you can download now.
It's called the EFF Tracker Blocking Laboratory.
And so what we thought we would do is add to the ecosystem of blockers by, instead of
having a list‑based blocker, like most blockers today, if you use Adblock Plus or
Disconnect or Ghostery, there's kind of a manually curated list and a central crawl.
What we're doing instead is it's a heuristic‑based blocker.
So we, from within the browser, as you browse around, we notice, hmm, this domain seems
like it's tracking you, and we block it based on that.
This is very experimental, but this is a direction we're going to try to add to the ecosystem
so that we can hopefully eventually land a feature like this in browsers so that we
can start to fight back more against this non‑consensual tracking.
And then finally we have a project to promote open wireless access.
So we are trying to make it easier for people to ‑‑ we're trying to make it easier
to provide open wireless guest access with a de‑prioritized ‑‑ sorry, with a second
wireless LAN that's de‑prioritized so that your bandwidth isn't affected, and we're trying
to think about how to build security properties into that open wireless solution.
It's actually the case that WPA2 doesn't provide much security, especially at a conference
like this.
It's essentially an open network.
Because everyone has the password.
So we're looking at ways to get WPA2 kind of equivalent security for open networks.
So that's just a little overview of some of our tech projects, and if you have any
questions about any of those, I'm the guy to ask.
Thank you.
MARK JAYCOX, LEGISLATIVE ASSISTANT FOR EFF, WORKING FOR THE LEGAL AND ACTIVISM
TEAMS.
Hi, everyone.
I'm Mark Jaycox.
I'm working with, dealing with Congress and legislation, and also blogging, helping out
run coalitions and things like that.
I'm going to give probably just a quick overview of my year with what we've been doing and
what we've been working on.
And so the year kind of started off with the CISPA, which is the Cyber Intelligence Sharing
and Protection Act.
And before the leaks, it was ‑‑ this was a law that granted broad legal immunity for
companies to bypass the privacy laws.
And to share a lot more information.
So we started off the year with that.
Congress year after year has continuously pushed cybersecurity, really online security,
network security bills.
All cyber talk has taken over Washington, D.C.
They often ‑‑ at least the language they offer is not very technical.
The terms are always pretty bad.
And so we started off this year with the House debating this issue.
And kind of arguing for these massive exemptions.
And we ‑‑ over the course of a few months, we had a very large campaign to combat this
bill.
And it was one of many bills that comes back every year.
And so it was ‑‑ this was in the House.
We created a CISPA is back campaign, kind of a zombie bill that comes back.
Last year we had defeated it.
This year in the House it had passed.
But we ran a big campaign.
We ran a pretty successful campaign with numbers we haven't seen since the SOPA campaign.
We had over 100,000 signatures against this bill and a very good show out of congressmen
coming out against this bill.
And it was such a good showing that ‑‑ and we were able to do such a good job with the
help of the community that the Senate, you know, saw the bill, looked at a lot of our
critiques and agreed with the massive privacy invasion that the bill had.
They also agreed that it wasn't the right way to really deal with online security or
network security.
When it comes in the federal government and private companies.
And so the year kind of started out with that.
Fortunately they have kind of stopped pushing that, these types of bills.
So far we'll see with the recent leaks.
And it's segued ‑‑ we moved on and segued into CFAA reform, so the Computer Fraud and
Abuse Act.
And for the past, you know, from probably January until June.
It's been a long time.
EFF, along with Stanford and CDT and Demand Progress, has been pushing for CFAA reform,
especially in light of Aaron.
And it was a really big issue and it is really important to us, it's important to the community.
And so we have this coalition, a pretty broad left‑to‑right coalition, and we spent,
you know, many months putting the pressure on Congress, creating a campaign from a wide
and diverse set of individuals.
To ‑‑.
To change the Computer Fraud and Abuse Act, to decrease the penalties in it, to clarify
the law so that it can't be abused and it's much harder to be abused by the Department
of Justice and by companies.
And to make sure that it's actually used for its original intent.
Right now CFAA on the civil side tends to be used a lot more for trade secrets than
for protecting against hacking.
And that shouldn't be the case.
And so after many months ‑‑ in the ‑‑ about a few weeks ago.
Actually, four weeks ago, three or four weeks ago, Jim Sensenbrenner and Senator Wyden
introduced Aaron's Law.
And so this is a law that decreases some of the penalties, doesn't allow the government
to bootstrap multiple penalties to jump up the prison time, and clarifies and incorporates
the two better judicial decisions that are out there in the Ninth and Fourth Circuits.
And so right now we have ‑‑.
This is one of our major campaigns that's going on.
And we actually have a phone booth that we brought that's in the contest area that is
a direct line to Congress so you can call up the Congressional switchboard, ask for
your rep, and give them your mind and speak to them about it.
Because if anything, I mean, especially with these bills every year and kind of how D.C.
is ‑‑ has been for a while.
But it's ‑‑ it's starting ‑‑ it's starting to change.
It's starting to get right in our faces that it's time for the community to really push
back.
And it's time for the community to engage with them and tell them what's up.
And so that's one of our bigger campaigns.
It's a pretty cool 80s phone booth that we have.
And so, yeah, I encourage you to go to the contest area and check it out.
We also have another thing that is part of CFAA reform, the security researchers' letter
and letter to Congress from the community, from DEF CON.
B-Sides also.
And the letter demands Congress to take up CFAA reform, which increasingly looks like
a possibility and that they're going to do it and move it.
And it's a letter from the community and from security researchers pretty much pushing for
Aaron's Law and pushing for CFAA reform.
And so that's kind of our ‑‑ what's been going on with CFAA reform.
And it does look like that they are listening.
And the campaigns have been pretty fantastic.
So far.
And the response from the community has been fantastic so far.
And it looks like they will pick it up.
They're going to discuss it.
There will be hearings on it.
And we'll see where it goes.
I mean, it's something that EFF is going to continue to push for and so is demand progress
both in the courts and in front of Congress.
And then coming off of that, obviously what happened next, right, so that was probably
right until June, mid‑June, and what happened next was the NSA spying leaks.
And focused around that.
We just have had ‑‑ there are over, you know, ten bills to fix this.
We had overnight campaigns launching, especially with the most recent ‑‑ the first time
since the leaks that Congress has had to speak out on this, the Amash Amendment, which
I don't know how many people know about, but it was an amendment that would essentially
defund and curtail one part of the spying, the use of the Patriot Act and the calling
information that Kurt was talking about.
And so, you know, since the leaks, my ‑‑ pretty much what I've been doing is focusing
on the legislation.
The legislation deals with a variety of things from fixing Section 215 so that this kind
of bulk spying can happen and doesn't happen to fixing the ‑‑ the spying is overseen
by the secret surveillance court called the Foreign Intelligence Surveillance Court, FISA
Court or FISC for short.
FISA Court is my preferred term.
Okay.
So these bills, you know, half of these ten bills deal with exposing the legal opinions
and the legal rationales that the government proposes to the secret court and remain top
secret.
You know, we don't ‑‑ this is secret law that none of us get to see.
It's interpretations of the Fourth Amendment, interpretations of the statute that we haven't
seen.
And so these bills push for transparency around those opinions and also just pure structural
reform of the court.
Making sure ‑‑ the court right now is composed of people selected by the Chief Justice
of the Supreme Court.
He nominates them and confirms them.
And so we have a couple of bills that push for ‑‑ we're not pushing for it, but
the Senators have a couple of structural reform bills that were just released this
week and we should be blogging about shortly once I get out of here.
And so that's part of the NSA spying and the most recent thing was the Amash Amendment,
where the Amash Amendment ‑‑ there's an amendment again that was going to curtail
part of the Section 215 program, just a pretty blunt instrument, an amendment to the defense
budget bill.
And the House has the right, they have the power of the purse.
And so we found out ‑‑ this was an amendment that we had known about for a week or so.
It was unclear ‑‑ and the House works ‑‑ the way the House works is that the leadership
decides what amendment gets thrown to the floor.
So we didn't really know that this was going to come to the floor.
And we found out, you know, about 7 o'clock the night before.
And overnight we had a pretty aggressive campaign from across the board again, you know, ACLU,
CDT, Demand Progress, Free Press, a whole bunch of people, Tech Freedom.
And overnight we pretty much created an activism campaign, riled up support, a lot of people
picked it up, the community reacted brilliantly, and we got the best vote that we've got since
the reauthorization of these laws.
And it's a tremendous step forward.
It's really a clear signal from Congress that they are ‑‑ in my opinion, it's a clear
signal from Congress that they are very dubious of how Section 215 is being used and they
want to change it.
And so that's kind of been my first ‑‑ or the first six months of this year.
It's been really fun.
It's been really intense.
And that's kind of what I've been focusing on.
Thank you.
All right.
Well, now it's time to get your questions asked and answered.
So anybody who has questions about anything we just discussed or other aspects of EFF's
work, please come to the microphone here and we will do our best to answer your questions.
The FISA Court seems to my mind to be a secret court, a tool of a police state.
What would it ‑‑ I mean, it seems like it probably has a thin justification.
And what is the justification, and why can't that court be abolished in total?
So the question is what is the justification for the Foreign Intelligence Surveillance
Court?
The Foreign Intelligence Surveillance Court was created by the Foreign Intelligence Surveillance
Act, which oddly enough was actually an attempt at reform, which is to say that there was
previously no courts that were being involved.
And so they created the Foreign Intelligence Surveillance Court in order to have judges
be involved.
So in that sense, it was an attempt to bring some aspects of the judiciary into it.
But what has happened is that as a secret court, it is doing secret reinterpretations
of the law.
And these have gone into some very strange ways.
And I'll just give one sort of example of where this has gone in some very weird directions.
So the law that allows the government, or the government says it allows, to get your
phone records is Section 215 of the Patriot Act, and Section 215 says, amongst other
things, that you can get business records that are relevant to an authorized investigation.
And under that secret interpretation ‑‑
Of the law, all of the records of all of the people for all of the time are relevant
to an authorized investigation.
And we haven't seen what that interpretation is.
But I'm really curious to see it, because I think it's going to be an amazing piece
of BS, right?
I mean, how can you make it so that everything is ‑‑ it means relevant becomes essentially
a meaningless word.
There's no difference between that statute with the word relevant and without the word
relevant in terms of what you can get.
And, you know, interestingly enough ‑‑
Sensenbrenner, Representative Sensenbrenner, who was actually the author of that section
of the Patriot Act and supporter of the Patriot Act when it passed, he has agreed that that
was not what it meant to say.
So this is where the problem has to come with the secret FISA Court.
Well, wouldn't that require 310 million search warrants?
I mean, the Katz case, and ‑‑ that can't be legal.
Well, I mean ‑‑
The Fourth Amendment says you need a search warrant.
For ‑‑
Or 310 million.
If every ‑‑
It's true.
Illegal and unconstitutional are not the same thing, but we think the program is both
illegal and unconstitutional.
You talked about EFF's add‑on for blocking tracking cookies.
How does your approach compare to Firefox?
Firefox's approach of blocking third‑party cookies by default and then having a cookie
clearinghouse to create whitelists and blacklists based on privacy policies?
Sure.
So ours is not a third‑party cookie blocking in general.
How it works is it's more like an ad blocker.
So first of all, it's not just blocking cookies.
It actually, like, black holes resources, similar to the way many ad blockers work
today.
So if you look at kind of the spectrum, there's blocking based on very general metrics, like
block all third‑party cookies, and then there's here's a list of particular resources
you should block.
And we're trying to kind of find somewhere in the middle ‑‑ I mean, we think both
of those approaches are valuable, and users should install an ad blocker and they should
disable third‑party cookies in their browser, but in addition, we wanted to add to that
by having this middle end.
It's sort of functioning like an ad blocker, except as you browse around, it's dynamically
updating the list of resources that should be black holed.
So I hope that answers the question.
Yes.
Thank you.
Hi, there.
I also wanted to ask about the marketing firms, like private sector marketing firms and the
non‑consensual tracking piece of it.
You know, you hear a lot of stories about people, like, browsing for baby stuff.
And then getting catalogs for maternity wear two weeks later, or, you know, marketing
that can look where your mouse goes and so on.
So I guess my question is, you know, how bad are the capabilities of these private
sector marketing firms in the first place?
And then secondarily, are they being subscribed to by governments in order to turn that anonymous
metadata into uniquely identifiable data?
Those are great questions.
And the short answer, I think, is we don't really know.
We don't know too much about ‑‑
We don't know about whether the government has gone to these firms to request data because
those requests are secret.
Some companies are starting to publish transparency reports, but these are generally the larger
tech companies that have first‑party presence, like Google and Facebook and Microsoft and
Twitter, but not the invisible third‑party ad companies that you've never heard of.
So we don't really know what data is being requested of them.
As far as what abilities they have, also it's hard to know.
I think there's a lot of data that gets passed around in the background because right now
it's the wild west.
There's just no rules about what you can do or can't do with user data.
So it's probably safe to assume that a browsing history associated with a pseudonym is in
the hands of many companies if you ‑‑ the corresponding to you if you're browsing around
the web.
So that's kind of a half answer, but that's the closest we get to really knowing.
I wanted to add on to that.
One of the aspects of this are data broker companies, commercial companies that collect
information from a variety of sources and repackage that and make that available for
commercial sale.
And I think that you should basically rest assured that the government has purchased
subscriptions to these services.
I can say that there has been some FOIA work done by the Electronic Privacy Information
Center, or EPIC.
That confirms that ‑‑ confirmed that several years ago.
Thank you.
I have kind of a two‑part question about the Communications Assistance for Law Enforcement
Act.
I don't know if maybe ‑‑ you can ‑‑ okay.
Yeah, I wrote an article earlier this year, pretty foolishly, which the title inferred
that the FBI was planning on surveilling our real‑time online communications.
That was before the NSA.
That was a revelation.
So the two‑part question, I guess, is, one, is CALEA receiving enough, I guess, awareness
in the public?
Is that still a threat?
And I know that the FBI made some statements several times, one of their previous legal
counsels and, of course, later this year, about their desire to expand CALEA to allow
for real‑time online surveillance.
As well as extending some of those privileges to local law enforcement.
And then the second part of the question is, concerning jurisdiction, if, for instance,
a local law enforcement agency had permission to do surveillance online, I mean, how exactly
do you think that that would work?
Obviously, like, it's difficult for them to identify where the person is when they're
doing online surveillance.
And I see that kind of as the equivalent of someone from, like, law enforcement.
Las Vegas police department coming to my home and in a different state and performing
a search.
So I'll just answer as to if CALEA is still a threat.
And then, yeah, I think Kurt, Marsha, and Eva can tackle the other stuff.
Perfect.
So the answer is, yes, definitely, but what we've seen is the government become very
reticent and nervous.
They've been very nervous about discussing CALEA or discussing ‑‑ I'll jump back
to the online security bills, the cyber security bills.
They've been very nervous because it's completely outlandish, right, for them to push such bills
when we still don't know what's going on with the surveillance, we still don't know what's
going on with how they use the FISA, the Foreign Intelligence Surveillance Act, and
things like that.
So I would say it is still very much a threat.
And it's something that, you know, we as a community, we as EFF, are ‑‑ have to
keep our toes on because, right, the second we fall asleep or the second, you know, we
miss something, they may try and slip it in or they may try and continue to push it.
But for now, I don't think ‑‑ for now, at least for now, though, short term, right,
next month or two, I don't think it is a threat.
But definitely medium to long term, it's something that they've been very vocal about, and it's
something to watch for, and, you know, I really hope that we don't have to go through another
crypto war.
Yeah.
And I just wanted ‑‑ I'd like to add, like, in terms of, like, you know, I think,
extending those abilities down to local law enforcement, the first time that was discussed
with their legal counsel in front of the subcommittee in Congress, the two examples they brought
up were the importation of drugs and, like, child pornography, which are not national
security issues.
To be clear for everybody here, CALEA does not at this time include the ability to wire
tap the Internet.
Yeah.
And there's actually been a lot of questions about whether or not this includes Skype,
which is a voice‑over IP service, and it is used by hundreds of millions of people
all over the world.
Until fairly recently, until a couple of years ago, Skype was a European‑based company and
therefore was not even potentially coming under CALEA because it was out of CALEA's jurisdiction.
But.
But when Skype was purchased by Microsoft, suddenly there were questions about whether
or not Skype would be required to include sort of backdoor wiretapping capabilities
in order to comply with law enforcement requests.
In order to clarify this, EFF was part of a coalition of individuals and NGOs that wrote
a letter to Microsoft requesting a transparency report on Skype.
Saying, hey, if you want to use Skype, you can use it.
If you could just clarify whether or not you're tapping hundreds of millions of users' voice‑over
IP phone communications, we'd really appreciate that.
So in a very gratifying moment, Microsoft did us one better.
A few months later, they came out with a transparency report for all of their products, including
Skype.
And if you take a look at Microsoft's transparency report for Skype, it says we have never given
up any, you know, any phone communication.
Phone calls, any content data, anything to the governments in response to a request to
any government.
Then the Snowden revelations came around and we started looking at the PRISM slides, which
actually included Skype as a source of content.
And a lot of the other Snowden revelations have seriously implied or outright stated
that at one point or another, the NSA has had the ability to tap Skype communications.
So I think that Microsoft and Skype have a great deal of explaining to do, and it's
really unclear the extent to which the NSA is capable of eavesdropping on Skype communications.
One of the things that does appear to be clear is that they're probably not doing it under
the auspices of CALEA, that they have a different legal justification for doing this.
But it could very well be happening, and we are very interested in learning just what
the extent of that eavesdropping is.
And whether or not Microsoft or Skype were really capable of telling us that it was going
on.
I just wanted to briefly address your jurisdictional question.
CALEA is mostly about requiring service providers to have tapability, like the ability for law
enforcement to be able to get telecommunications that went over them.
But where they're getting the authority to do the wiretap comes from a lot of the information
from other sources, so you have, like, the wiretap, some kind of information would be
obtained through a warrant that is obtained through the wiretap act.
If they are going through the foreign intelligence surveillance court, there are processes there
like ‑‑ I guess the jurisdictional question was sort
of about their desire to sort of extend these realtime surveillance powers down to local
law enforcement.
Well, local law enforcement actually has wiretap powers.
Right.
And if they go to a court and get an appropriate court order, then local law enforcement can
do taping.
Okay.
Not on the Internet.
Right.
And not under CALEA.
All right.
Thank you.
Also, free Weev, and thank you for bringing that up.
So my question is, like, we all get to go home at the end of this and go back to our
families.
But the guy who started this whole conversation is locked in an airport terminal.
He's out now?
Okay.
I haven't seen a newspaper in Vegas since I got here.
Well, how can we help him?
How can I help him?
How can we help him?
He's stuck in Russia, though.
Yeah.
He's stuck in Russia where the food is notoriously bad.
In terms of the news, I mean, I guess to make sure everybody caught it, the Russians
granted him a one‑year asylum.
So he is no longer in the airport.
Thank you.
We just applauded the Russians.
Don't be fooled.
I mean, the Putin government is not a wonderful government.
They are very authoritarian and they've done some terrible things.
Especially with the Internet.
Especially with the Internet.
Yeah.
I mean, this is part of a global power play between the United States and Russia.
And that just sort of happened how it happened to play out here.
But one of the things I think that is sort of very important about this is, you know,
what we're trying to do, especially with some of the work that we're doing, you know, with
filing new lawsuits, pushing forward with that, going to Congress, trying to get better
legislation, is take advantage of what Snowden has put out there.
That, you know, he put this information out there, not for himself, but for all of you
so people could find out what was going on and the ‑‑ what we can do with it.
So we have all this information.
Study it.
Figure it out.
Figure out what's going on.
And see what we can do to stop illegal and unconstitutional surveillance.
So on the topic of Snowden and Weev and others, what are the federal definitions of whistleblowers?
How does the government get around that in order to prosecute someone in a criminal or civil case?
And what protections do we have?
So whistleblower law is primarily ‑‑ the whistleblower laws are designed to protect
people who go to the government to whistleblow.
So what the government's position on this actually is like, oh, yeah, you should have
gone to your supervisor at the NSA and told them all about it.
And, you know, they will take it up the appropriate channels.
And some people have tried to do this and have not gotten responses.
I mean, there actually may be a lot of people who are part of the system who have gone
through the existing whistleblowers, talked to the inspectors general, you know, talked
to, you know, appropriate people.
And, of course, we never found out about it because the people upstream just ended the
inquiry.
So unfortunately, the protections for whistleblowers who are whistleblowing to the press and to
the public are not very robust in the laws because a lot of times the government is actually
not that keen on things coming out that way.
But there's actually a number of really good organizations that focus on whistleblowers,
whistleblowers.org and the Government Accountability Project.
They focus and try and help people who are interested in blowing the whistle.
So if you know someone who has information and wants to blow the whistle on it, those
are really good resources for them.
And then on the topic of CFAA and Booz Allen and other very interesting curious
government contractors, so when you would end up, like, breaking into something that
is owned publicly and that's clearly in violation of intended access, so does that mean that
the people that would be working for the government to build stuff like that are actually
committing felonies?
And are they at risk to get prosecuted by that if, for example, they blow the whistle
on something?
It's like if you install a root code on a device and it's intended to go affect China,
but you're still effectively jailbreaking the device to add different firmware.
Let's see if I can try it.
So I'm not really sure about your question, but let me see if I can rephrase it or see
if I understand it.
You're talking about somebody who is working for the government and in the course of their
work for the government they get access to a device or exceed authorized access?
Yeah.
So if they are doing so lawfully, that is to say pursuant to a warrant that authorizes
the access, that's one story.
And if they're doing it unlawfully, which is to say because it is exceeding what they
are allowed to do under the Constitution, it's a different story.
And it would be illegal.
And in some circumstances you can prosecute government officials who exceed their authority.
But the law is actually fairly friendly to law enforcement officials who overstep bounds.
And it sort of comes down to whether you are exceeding a clearly established constitutional
right.
So if it's the first time that the courts are dealing with the question, there's a bit
of a pass and there's a question of sort of whether it was intentional misuse.
It is fairly rare for a government official who exceeds their authority in a manner that
the government wanted them to do to get prosecuted.
If somebody exceeds their authority in a manner that the government didn't want them
to do, then absolutely they would ‑‑ they're at risk of being prosecuted.
I'm thinking more in terms of civilian contractors, people that aren't government officials
but are still producing stuff that the government purchases.
I think that there are less ‑‑ I don't know.
There are less protections, but if they were doing it pursuant to a lawfully authorized
warrant, then that should provide protection.
There's a lot of things in the law where it says good faith compliance with a lawfully
authorized warrant can be protected.
If somebody is not acting in good faith, if they're doing something, if they knew that
it was illegal, then there might be something that could go forward.
But I think it's unlikely that Booz Allen will find itself indicted or prosecuted for that.
I will also say that the CFAA has an exception for any lawfully authorized investigative,
protective or intelligence activity of a law enforcement agency of the United States
or of any intelligence agency of the United States.
And so, you know, particularly to the extent that a private contractor is doing work on
behalf of the government in that vein, I think, you know, the statute pretty clearly wouldn't
apply to them.
Yeah.
Okay.
Thank you very much.
First I wanted to say thanks.
I appreciate everything the EFF is doing to protect our rights.
We supposedly already have.
I wanted to continue in the vein of whistleblowers.
How can grassroots or legislative reform help to protect leakers and whistleblowers?
Because I think, you know, if you study history, you see that governments are always prone
to abuse and to becoming oppressive at various points.
And we need leakers and whistleblowers like Snowden.
So how can we, as an Internet-savvy community, solve that bigger problem of protecting, like
with the Pentagon Papers, you know, restoring some of those protections to leakers and whistleblowers?
Yeah.
In general, there are a couple of things out there.
I mean, there's an attempt to get a federal reporter shield law.
Now, this gets at the problem in a little bit of a different direction, which is to
say it protects journalists from having to disclose who their sources were so that if
somebody goes in confidence to a journalist and says, you know, here's the evidence of
wrongdoing.
And the government says, okay, who gave that to you?
If there were a federal shield law, they would be able to say I'm protected by the shield
law.
I don't have to disclose who my source is.
A lot of states have shield laws.
Some of them are very protective.
Some of them are modestly protective.
But there is no federal shield law.
And then there's also the First Amendment and its protections for freedom of speech
and freedom of the press.
And how that has shaken out in the courts is that on the whole, you ‑‑ there are
protections for having ‑‑ reporters having to give up their sources, but they can be
overcome by a sufficient showing of need by the government.
The government has tried to get this information from other sources and failed.
And so the other thing it would do would be to use litigation, impact litigation in a
court and try and show a court that the First Amendment is valid.
The Second Amendment does apply and to give greater protections because, you know, there's
a quote from one of the founders of this country that I'm going to probably badly paraphrase,
but a popular government without access to popular information is but a prelude to a
farce or tragedy or maybe both.
And what it's meaning by that is that if we're going to have a democracy where people are
voting about, you know, representatives and the representatives are voting about the laws,
but we don't know what's really going on or we don't know what's really going on, then
if we don't have access to full information, then it just becomes a farce.
We're not able to have a functioning democracy without a good amount of information and without
a good amount of transparency.
I just wanted to add one quick thing, which is that one of the reasons why EFF is made
up of activists, technologists, and lawyers is that sometimes the answer is not litigation
or legislation.
Sometimes the answer is technology.
And one of the strongest protectors of technology is technology.
One of the best protections that we can offer to whistleblowers is strong encryption.
And if I could add at a most basic level, something that all of us can do is get in
touch with our elected representatives and simply tell them that this is something that
we consider important.
Now, this is an area where unfortunately for those of us who care about technology,
phone calls are better than e‑mail and personal visits to a member's office are better than
e‑mail, better still.
But they listen.
And on some level, that one constituent took the time to come in and tell them how important
this issue is to them, they see that as representative of thousands of constituents.
Hi.
Regarding technology, patent trolls, kind of a much less important issue than a lot of these
civil liberty discussions, but can you discuss the current situation with some specific patent trolls
claiming ownership of the entire idea of podcasting and podcast protocols and where that kind of
stands legally now, if any of you?
I can't ‑‑ I'll do that to the extent of my knowledge.
I'm actually not the staff patent expert.
We have two of them.
But this was a person who created a pre‑internet audio distribution company.
The idea was ‑‑ I had no idea.
It had something to do with sending audio programs on cassette tape to subscribers in sort of a ‑‑
so I guess sort of an early version of Netflix mailing DVDs.
And this was in the mid‑90s before there was podcasting.
My understanding is that there's ‑‑ there may be some examples.
In patent law, this is known as prior art.
This is evidence that something was invented before the patent owner claims to have invented it.
In other words, their invention was not in fact new.
My understanding is there may be some prior art for podcasting for the ideas that this gentleman is claiming.
And if that's so, then we may be able to get the patent office to nullify that patent.
Which would, you know, probably end the lawsuits and the threats.
And that's what we're pursuing.
Thank you.
Good luck with that.
Yeah.
Well, there's Trolling Effects, which is ‑‑ which is ‑‑ on the particular thing, the podcasting patent, there is a method we're trying to gather information about prior art that's out there.
I don't remember the content.
But basically, if you look at it.
If you look through our blog post and see the one about this, it will give you how you can submit prior art that you're aware of.
Basically, things from the early to mid‑90s would be particularly useful.
It was like the patent was issued slightly before the Internet Archive started gathering things, which has made it a little bit more difficult to look back at some of the history.
But we still have found some so far and gathering more.
The other site that we maintain on that subject.
And I think it might be of use is called defendinnovation.org.
I have two questions.
One is if you guys might be able to talk about a recent court ruling talking about local law enforcement not being required to have a warrant to track cell phone location.
That just recently came up.
And maybe the reasoning behind that.
And then the second part.
The second question I've got is anything on drones.
You guys published a new list.
I just hadn't heard anything about it.
I was kind of surprised.
All right.
So let me hit the first of those questions about cell phone tracking.
And so, yeah, unfortunately, there was a recent case that was saying that warrants were not necessary.
It was an appellate court decision.
Two out of three said that you didn't need a warrant.
One dissented.
It has actually been a mixed bag out there in the courts.
We've gotten some courts that have agreed that a warrant is necessary to use cell phone tracking.
And I think actually if you look at the recent Supreme Court case from last year, U.S. v. Jones, it was talking about a GPS tracker being used to track someone.
They said a warrant was required for that.
And I think that if that case is properly extended to the cell phone's base, it should come through.
So we've come to a similar conclusion that a warrant is required.
But, yeah, unfortunately there was that decision.
We are continuing to work on this and try and find cases that are going to be good opportunities to show that the Fourth Amendment applies to cell phone information.
Can I add?
Please.
So because I've been here and I've been crazy busy and this case just came out earlier this week, I haven't actually read the opinion yet.
But what I understand from the reporting is that the rationale is that the case is not going to be approved.
The rationale that the Court adopted was based on the third-party doctrine.
And this is something that you guys all ought to know about and really have on your radars.
So the deal is the Fourth Amendment as a general matter, right, protects you against unreasonable government searches and seizures.
And so the government is supposed to have a warrant to search something in which you have a reasonable expectation of privacy unless some exception applies.
Okay?
That's the general rule.
So back in the 70s, the Supreme Court decided a couple of cases, one involving bank records and one involving the numbers that a telephone company collects when you dial a call.
And in those cases, the Supreme Court basically said you don't have a reasonable expectation of privacy in information that you convey to a third party like us.
Like a company, right?
Your bank records, your financial information that you convey to a bank, they create records from.
And the numbers you dial that you convey to a phone company, you don't have any reasonable expectation of privacy in information like that.
And the reason is because you know that you're giving it up.
You're voluntarily giving this information over to them.
And so how can you have a reasonable expectation of privacy in that?
And that has developed into this concept that we call the third-party doctrine.
Which broadly seems to suggest that you don't have any reasonable expectation of privacy in anything that you give to a third party.
In this day and age where we store so much information with companies like Google, Facebook, Microsoft, et cetera, et cetera, et cetera, that's a very dangerous precedent.
And that's something that we need to make go away.
It just doesn't translate to the world we live in now.
And in the case that Kurt spoke about, Supreme Court Justice Sotomayor just really called this out and said this is something that's, you know, we've got to look at.
And so I think you're going to see a lot of cases in the future dealing with this.
And I think the Fifth Circuit, from what I've read, has really gone the wrong way on this because they basically said, well, these are cell phone records and they're stored with your company.
And so that's very problematic.
And I think you're going to hear a lot about this in the coming years.
Yeah.
So speaking of reasonable expectations of privacy, and the next question was about drones.
So recently the FBI responded to, I believe it was Senator Leahy who sent a letter explaining what the standard is for drones.
And they took the position that you did not have a reasonable expectation of privacy against drones.
That is to say that it was not reasonable to expect that you would be private from a drone circling over your house and taking pictures of what you're doing in your backyard.
And they based that on some cases that involved things like manned-plane surveillance that had been done in the course of the drug war.
And this is sort of a little bit illustrative of how things have been going in terms of government surveillance: they are looking for cases in which there have been statements about what a reasonable expectation of privacy is that stemmed from some particular circumstances.
And then seeing how far they can be applied.
So they find a court that says that at some point a plane flew somewhere and looked down and there was not a reasonable expectation of privacy on that.
And that also means there could be a drone 24/7 hanging over your house.
Like once they establish that there isn't a reasonable expectation of privacy, they could take it to the nth degree and it doesn't matter.
And it really does matter.
Like even though it's entirely possible that a police officer would not be able to do that.
Or would follow you around where you go and, you know, make handwritten notes about where you're going and what you're doing.
This does not mean that it is a good society.
A society, a future that we would want to live in where everybody's movements are tracked all of the time.
And there was a
And so this sort of third-party doctrine, the reasonable expectation of privacy, has become outdated.
And it's becoming misused to take some things which would be rare, occasional things, where there was a natural, resource-based limit to how much the government can do it, and when things become cheaper,
They can do it all the time.
And so we're very much working on trying to stop that.
And just to sort of wrap up on drones.
So the people on this panel right now are not our drones experts.
But one of them actually is here.
Our colleague Parker Higgins who is going to be in the contest area.
He's working the CFAA phone booth.
But if you have questions about drones, he knows a lot about them.
At the same time that the NSA panopticon was being discussed, it also seemed to be apparent that the government was going to top tier providers and asking them to give up their encryption keys.
I don't think the subject has gotten to this extent yet.
But what does that do to the concept of non-repudiation and contract law?
Or even a chain of evidence, digital evidence, where our digital identities are now no longer solely our own.
Or to put it another way, if the whole ‑‑
The question is raising sort of the possibility that as you may be,
communicating in what you believe to be an encrypted channel,
that nevertheless someone might be forced to give up the key such that your communications could be decrypted
and that you wouldn't have the level of security that you are coming to.
The phrase I was looking for, if you backdoor key escrow,
does my digital identity, my uniqueness and non‑repudiation suddenly evaporate and become negligible as a point of law?
Well, I have not thought of it in terms of the digital identity,
because usually what we have been hearing about is more on the sort of encrypting communications,
not as an encryption method, not as a digital signature method.
But nevertheless, it is quite troubling that we have a number of systems that are designed to be able to encrypt communications
using a public key infrastructure and certificate authorities,
and these systems have a lot of problems.
And I think what Dan was talking about earlier is some of our attempts to try and at least understand and investigate those problems.
I guess we can put it this way.
The more that is known and revealed about government access to encryption keys,
the more likely it is that a good lawyer in a contract dispute
or anything involving a chain of digital evidence will be able to convince a jury
that the contract was forged or that the evidence was manufactured.
So that risk will increase.
Thank you.
Just to quickly add one last point to that.
I think that it's a really good question.
I understand you as saying providers having to give over their private encryption keys to law enforcement.
And I think that this is ‑‑ there's kind of a hole right now in terms of statutes about this.
So law tends to focus on user data.
But there's a big question mark about, well, yeah, you can get user data if you have these keys.
And are companies forced to hand over the keys under various warrant or subpoena circumstances?
And I think there's just a lot of unclarity about that right now.
And it's something that is really alarming.
I also want to add just sort of one sort of general point on this is that, you know,
companies may be required to provide some technical assistance to the government when they want a wiretap.
Right.
But there's also a notion that they shouldn't be required to break their services.
And I think if your service involves providing encrypted communications and you're not actually providing it,
that may break the service and that may be an available argument.
Thank you.
Hi.
So since this Snowden revelation, I've been trying to think about ‑‑ there are three different contexts for this.
One is for data retention.
So there's this NSA program that we just learned about.
And then there is the data retention that my service provider is already doing of my metadata of their own volition.
And then there's ‑‑ and this is in the United States.
And then there's internationally how data retention works.
And my understanding is that in Europe it's more regulated than it is here.
And so I wanted to ask if you would mind sort of characterizing the difference between those three contexts in terms of, you know,
how long my data is retained and, you know, how it's exposed to access by the government.
With an eye to what you think the right answers are.
So I can talk a little bit.
And if you wanted to add.
So Europe I understand is kind of a mixed bag because there is greater protection in terms of user data and how it's handled.
But on the other hand, there are also mandatory data retention laws which we do not have in the United States.
So it's kind of a double‑edged sword.
But beyond those mandatory data retention laws, I think as I said earlier, it's kind of the wild west in the private sector.
So it's just sort of up to the company how long they want to retain your data.
And they can have privacy policies right now which, you know, disclose that.
And if they break those privacy policies, they're opening themselves up to FTC complaints or possible other lawsuits, class action lawsuits and this sort of thing.
But basically there's no information.
In terms of ‑‑ or there's no limit to what data they can retain.
On that front, I think the right answer is a lot of transparency from companies and also ensuring that we don't pass a mandatory data retention law.
So if a VPN doesn't want to keep data, they shouldn't have to.
So I think that's the way that we should be going for the private sector.
With respect to government data, I don't know if someone else wants to add.
But I also think that there's no clear rules about it.
I think there's one more important point to make about the private sector in the United States, especially in Silicon Valley where you have a lot of startups.
And people are sitting on a lot of user data.
There is a tendency among engineers to want to save everything.
Because you never know when it's going to be useful.
Yeah.
In fact, your company might go completely under.
And then that might happen.
It might be the only thing that you can sell.
So there's a very strong push to retain as much data as possible for as long as possible.
Saving data is cheap.
Backups are cheap.
The consequences of not having the data when you need it are dire.
And deletion is computationally expensive.
So usually when sort of Silicon Valley companies have a choice between storing everything indefinitely and finding some way to regularly delete it,
they will choose to just store it all indefinitely because it's easier.
It's not a conspiracy against user data.
It's not a conspiracy to make things more convenient for the government.
It's the ‑‑ if you've ever walked into an engineer's office and seen piles of paper and noticed that they never throw anything away,
this is just sort of an outgrowth of that.
And in some ways that is potentially very, very worrying.
Because even if you don't have mandatory data retention,
in this manner, sometimes you wind up having de facto data retention.
And so to address the government-storing end of it,
I mean, the question is, are they supposed to have it in the first place?
And the problem with some of these sort of mass storage things that have been confirmed recently with reports about the NSA,
getting just gigantic piles of paper.
So five years, that's what they say they're doing.
Except actually if your information is encrypted, then it's until it's decrypted.
So they'll keep it around forever.
Or at least until they figure out how to decrypt it.
So the problem is really that they get it in the first place.
That they should only be able to get the information when they meet legal standards.
And then only keep it so long as it is needed for that valid purpose.
If that helps answer the question.
With regards to the development of U.S. cyber warfare,
I guess you could say architecture, maybe.
I don't really know if that's the correct word.
But it seems like our government has been penetrated multiple times by groups like LulzSec.
While at the same time we've developed advanced cyber weapons like Stuxnet.
And now regularly are tapping into other countries.
Could you speculate on that?
Yeah, sure.
I can speculate on that.
We don't have to speculate.
Because the White House released this thing called the Presidential Policy Directive.
And it's a document that the president creates that instructs the divisions and the cabinet agencies about what the policy is for the administration.
And so the document.
Actually, as part of the Snowden leaks, what came out was this.
It was a classified presidential policy directive.
It was the Presidential Policy Directive number 20.
And what it did was it kind of confirmed what a lot of academics and security researchers, people who were watching where the government is going with kind of this online warfare and virus making, malware making.
And what it did is it revealed that they have pretty much routinized the processes and are beginning to study and look into and create working groups for how the government is going to deal with this and what the government is going to do.
Before this document we saw very vague outlines, right?
Like the U.S. government will follow the laws of war.
And the U.S. government would follow, we will follow the U.N. conventions and international law.
What this document revealed was it kind of got into much greater detail on what the government is doing, how they will act in defense if they suppose any sort of exfiltration of data or if they suppose they're under any type of attack.
And the document provided a pretty good foundation for how they justify Stuxnet.
And we also know now, within the past couple of weeks, right?
That one of the generals is being investigated over leaking the fact that Stuxnet was a U.S.-Israeli project.
And so, you know, we, what we're seeing right now and what we're paying much attention to and fighting against is this increased militarization of the Internet.
It was something that was always kind of in the background.
It was something that we were always hesitant and watching and thought about.
A lot was happening.
But what we're seeing now is that, yes, it's happening.
The government is creating these things.
And there's hardly anything to be regulating it or figuring out how to stop it and what to do about it.
Because we don't know what they're doing.
And so what I think is going to happen and what, you know, especially part of the transparency efforts we're fighting for is to talk with the government and issue kind of these policy papers.
And what we think, you know, should happen in this area and what we think really shouldn't happen with the increased militarization of the Internet.
Because especially with Stuxnet, you know, Flame is another good example.
When you use malware, when you use an online virus, it is very different.
Because you're no longer ‑‑ you can try as hard as you may to target a foreign nation state or something you want to exfiltrate from a government.
But it's hopping the network.
Right?
And it's hopping the network into the public sphere.
And it's causing citizens and it's causing individuals who are not associated with the government and who aren't supposed to be your targets.
And it's something that's very dangerous that's happening.
I just wanted to interrupt for a second, rudely, and talk a little bit about the rhetoric of cyber warfare.
One of the very interesting things that came out of the presidential directive was this sort of declaration.
That cyber space had been sort of declared to be a theater of war.
And I think that one of the biggest problems when it comes to talking about this stuff with the U.S. government is that there is an entire culture of people who say cyber.
And ‑‑
Which is generally a good sign that you're talking to someone who has very little in common with the Electronic Frontier Foundation.
And the biggest problem with the term cyber warfare is that ‑‑
Packets are not bullets.
And as a general rule, they do not kill people.
And once you start using the rhetoric of warfare and guns and bullets and cyber bombs and cyber shields and cyber tanks or whatever it is they are using ‑‑
Cyber Pearl Harbor.
Cyber Pearl Harbor.
I'd really like to know what the hell this Cyber Pearl Harbor is that we've been promised for so many years.
So, yeah.
Once you start using this kind of rhetoric, it leads you to all kinds of very erroneous conclusions about
what kind of protections we need and what the U.S. can do and what the U.S. is justified in doing in protecting sort of the American Internet.
In as much as there is an American Internet.
So I'm generally very wary of the term cyber warfare and anything that begins with cyber and the entire war rhetoric.
Because I think it really frames the whole thing.
It frames the problem in a highly misleading way.
I'll just add, I was seriously blurring the distinction between civilian and military when it comes to the Internet.
A lot of the things that we've been reading about, you know, sort of proposed protections for the U.S. and for U.S. cyberspace have to do with protecting U.S. companies' trade secrets.
And honestly, as far as I can tell, that's not a valid military objective.
You know who protects companies' trade secrets?
Companies.
Who have, hopefully, many people employed to protect their own security.
This should not be something that American tax dollars pay for.
And this should not be something the U.S. military does.
Thank you.
My question is regarding EFF's thoughts about the preemptive web filtering that's happening in the U.K.
It was originally slated as being for pornography blocking but has since been revealed to have spread to other subject matter.
And what, if any, actions are being taken in regards to that?
Thank you.
Oh, British Internet, we can't take you anywhere.
What's particularly interesting about the U.K. pornography filters is, to begin with, these are not mandatory filters in any way.
But what's happening is that every household in the U.K. will have porn filtering turned off.
And porn is turned on by default by the major ISP in the U.K.
And if you want porn, you have to make an affirmative decision to contact your ISP and ask for porn.
And they really don't see what the possible chilling effect of such a thing might be.
And really the chilling effect shouldn't matter because children.
Needless to say, porn is not a crime.
Let's say this is a terrible idea.
EFF frequently comes out against porn filtering.
We think that porn filtering is fine if you decide to put it on your computer on your network.
But having this sort of tyranny of defaults in which you have to make a rather public disclosure to someone else that you want porn is highly problematic and poses a potential chilling effect.
Not to mention that it looks like the filters are blocking things other than just porn.
And that this really gives the power to censor the Internet to these ISPs and to the people who are building the blacklists.
And we think that blacklists in general are a very terrible idea.
They don't work and they block all the wrong stuff.
So I'm actually from the U.K.
Awesome.
Would you like porn?
So I am really looking forward to moving back into my parents' new house.
And finding one of two situations.
Either the porn filter is off and I'm hung out to dry or the porn filter is off and I know something about my dad that I didn't need to know.
To be fair, you may also know something about your mom.
Sorry.
My bad.
She can't really use computers.
So secondly, I just wanted to sort of add to your point about data retention.
You said that with a lot of these startup companies,
you know, data can be, if a company goes under, the only thing they have left.
I would actually add to that: I would say that data is the only commodity they have in the first place.
And the best way to make sure it doesn't get into the wrong hands is just not to give it to them.
My real question was about PRISM.
So being from Europe, you guys actually have nothing to worry about as American citizens.
Because PRISM doesn't actually target you guys.
If what the NSA says is to be believed.
If they believe that you have a 51% chance of being foreign.
Right.
Then you are a legitimate target.
So as a foreigner.
More than 51%?
Yeah.
This is really strange.
Because, you know, more than a billion people around the world using Facebook.
You know, the U.S. has effectively almost 100,000 users.
Almost, I mean, I hate to use this word.
Because like you say, it's kind of inappropriate.
But they have kind of declared war on the world.
By, you know, having all of this data stored in the private companies within your borders.
And yet you have access to all of it.
So what can we from, well, firstly, is the European government doing anything?
Do they have a leg to stand on at all?
And is there anything we can do to support them?
Well, let me talk about PRISM real quick.
A lot of the time when, you know,
American NGOs and civil liberties organizations talk about PRISM,
it's very focused on outrage over the NSA spying on Americans.
And the reason why this outrage is so focused is because
spying on Americans is very clearly outside of what the NSA was originally entitled to do.
It is outside of its purpose.
And so it is very, very clearly illegal.
Now, what about the rest of the world?
A lot of these NGOs will simply leave the rest of the world out to dry.
They'll say the NSA exists to spy on the rest of the world.
And we can't get all upset when it runs around spying on non-U.S. persons.
And on this particular point, I disagree.
Just because you are a non-U.S. person doesn't mean that you suddenly don't have rights.
And not just, you know, it's not like the Bill of Rights and the U.S. Constitution
and U.S. law are the only law on earth.
And in fact, it seems very likely that the NSA's wiretapping has,
or the NSA's sort of dragnet surveillance does infringe on the privacy rights
of hundreds of millions of Internet users all over the world.
The problem is that it's very unlikely that we're going to get any kind of legal recourse for it.
There's simply nowhere for us to go.
To appeal having our basic human rights violated as non-U.S. persons.
What we can do is use strong encryption.
And also there has been a great deal of talk within governmental bodies all over the world
looking into the state of NSA surveillance.
There was a bill proposed.
I think a bill actually made it to the floor earlier this week.
In Mexico.
There have been a number of proposals in the EU.
People are really quite riled up about this.
And it's possible that we will see some legislation in other parts of the world.
Especially because one of the key parts of the NSA, of the revelations that we've seen about NSA spying
is that we're not just running around spying on non-U.S. persons who are a threat to the U.S.
We're also spying on our allies.
And needless to say,
that this makes our allies,
including the Five Eyes,
including the U.K.,
somewhat outraged.
So the question line is back.
Am I good to go?
You're just going to keep it in order here.
And sometimes we may have to return to a follow-up question.
But I think people have been waiting.
She didn't want to ruin a good thing.
But in terms of the privacy movement,
I kind of have a two-part question.
I think in information security,
we're very aware of all the implementations,
or however you say it,
of what can happen with all this data.
But how do you get someone that just goes on Facebook
and looks at pictures of cats all day
to really understand what this means?
And what is the next step for the privacy movement,
like Project MeshNet or something?
What should we be working on in the meantime?
All right.
I guess before we get to the legal aspects of this,
which Kurt will address shortly,
I think that it's a misnomer.
It's a misunderstanding to say that people these days
either don't understand the privacy that they're giving up
or don't care about the privacy that they're giving up
when they use social networks like Facebook.
And I can say this because I talk to people all over the world
all the time about their concerns about this very issue.
If you want to see somebody who has a deep and intrinsic understanding
of every single one of Facebook's privacy protections
and how they work,
look at a teenager whose parents have just friended them on Facebook.
They know how that stuff works backwards and forwards
and they keep up with every last update
because they are very interested in making sure
that they maintain their privacy
from people who really shouldn't know what they're doing
out on a Saturday night.
And I think that this is also true for other people
who have things to lose by losing their privacy.
People are very aware.
They're smarter than we give them credit for.
And really the task that we have as privacy trainers
is just to give them the right tools to use
in order to protect themselves
and also to help them understand their threat model,
help them understand
what information it is that they're trying to protect
and who they're trying to protect it from.
And if you give users that information
they can usually make smart decisions
about what to do with their privacy.
I just wanted to add on to that.
How do we make them care considering the NSA thing?
The spying, right?
How do we make them really care considering
in other countries they protested the spying
but we realistically didn't do as much of
putting forth an effort as much?
I'll address this.
We only have a few minutes remaining in the session
so I'm going to try and address this briefly.
I think actually we also have to cut off the question line.
But one of the things that I think has helped resonate
this issue when I've talked to people about it
is talking about privacy in terms of control
of your information.
To get away from whether it's something
that you have to hide in particular
but don't you want to have it so your information
only goes to the people that you want it to go to
and not to the ones that you don't.
That you have a sense of autonomy
and control in where your information goes
and what the spying is doing
is taking away that autonomy
and giving control away to somebody else.
So I found that has been helpful.
I would also, sorry, just add that
I think people, just to reiterate what Eva said
but add on that at least I don't know
how much people trust polls
but there's been a slew of polls
in the past few weeks that have been released
by Pew, Gallup, Washington Post
and a few others
that really shows a clear change
in people's attitudes,
the larger American public's attitudes
towards the government privacy
and towards the NSA spying in particular.
And so I think the job is to continue
to hammer home what we've been saying
and what we've been talking about,
talking about the lawsuits
and what exactly is metadata
and things like that
because at least from these recent polls
we're seeing, I think we're seeing
for the first time since maybe 9-11
where the larger public shift towards privacy
and shift towards kind of this government
surveillance regime is changing.
There's an active ongoing petition
on the whitehouse.gov website
to pardon Edward Snowden.
Last time I checked it had 132,000 signatures.
Is that just an empty gesture?
Is that a valuable tool
or does that come up with a,
a free IRS audit for all the signatories
of the petition?
I just wanted to know about
what, if anything, the government has to do
to respond to that petition.
Well, I just want to take the chance
to talk about the White House petitioning system
because it's something that I don't think
a lot of people know about.
But the We the People site,
the White House petitioning site
is a massive emailing list
for Barack Obama's campaign.
So you give them your information
and they harvest all your data,
is my quick ten seconds.
So you should always watch out
when you sign those petitions
because it's essentially a campaign tool
for the president's political operation.
So we have like one minute remaining,
so I guess one more question
and then thanks for being in line.
We can talk to you afterwards,
but we're going to have to move.
So, sir.
Yeah, question and comment.
So Congressman Rush Holt of New Jersey
has introduced legislation
to roll back the surveillance state,
which asks for repealing the Patriot Act,
repealing the FISA Amendments Act,
not having a requirement to have back doors
in telecommunication equipment,
and then one more item.
What do you see as the prospects for that bill?
Well, Representative Holt's bill
is one of the strongest bills
presented in Congress thus far.
The only...
kind of nuance with the bill
is that it completely obliterates...
The government has some sort of need
for a grand jury subpoena
to get some sort of information,
and so Representative Holt's bill
doesn't have that in it
because there should be a process
by which that happens,
but it's the strongest bill thus far,
and it's just another indication
that Congress is going to tackle this issue
and knock on wood,
I think they're going to fix the problem.
Very quick comment
because it's relevant to this.
He's standing for election
for the U.S. Senate
in the special election in New Jersey.
In the Democratic primary,
which is on August 13th.
And if people want to support him...
So we're actually...
We're out of time.
So thank you all for coming.
It's wonderful to see you here.
Thank you.
It's great to be here.
It's an interesting day.